I have a problem setting up a DNAT in POSTROUTING (I really need it for a project).
In the beginning, I tried to set it using iptables with this command:
iptables -t nat -A POSTROUTING -p icmp -d 30.0.0.1 -j DNAT --to-destination 40.0.0.1
but iptables gave me this error:
iptables v1.8.7 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain POSTROUTING
Then I read on the iptables man page that it is not possible to do what I'm trying to do.
After that, I tried to do the same thing using nftables using those commands:
nft add table nat
nft 'add chain nat postrouting { type nat hook postrouting priority -100; }'
nft add rule nat postrouting oif wg-1to2 dnat to 40.0.0.1
But nftables returned this error:
Error: Could not process rule: Operation not supported
I don't think it is possible to set a POSTROUTING DNAT with nftables.
Am I wrong, or am I making some mistake?
If it is not possible, why? Is it just something that is not implemented?
Are there some technical problems that make it impossible to implement?
How would you solve this problem?
Thanks in advance
NFTABLES: How to DNAT in POSTROUTING
Asked by Francesco Cheinasso
Francesco, to my understanding, you cannot do DNAT in POSTROUTING.
The reason is that in the (kernel) routing/forwarding code, several parameters get adjusted based on the destination contained in your packets (e.g., next hop, interface where this packet has to be sent from, MAC address to reach the next hop).
If you do DNAT, i.e. you change the destination address in your packet, the above parameters may become invalid, so you would need to traverse the routing/forwarding code again. However, given the position of the POSTROUTING hook in the Linux kernel, this is no longer possible. SNAT, in contrast, is perfectly supported there.
A possible solution to this problem is to write an eBPF program that does DNAT and adjusts the above parameters. Hope this helps.
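As an added example (not part of the question or the answer), a small lint that makes the constraint above checkable before the kernel rejects the rule: it reads a ruleset in the JSON shape that `nft -j list ruleset` emits and flags every NAT statement sitting in a base chain whose hook cannot perform it, which is what produced the "Operation not supported" error. The allowed hook sets follow nft(8); the sample ruleset is constructed to mirror the question's chain and rule.

```python
import json

# Hooks at which the kernel can apply each NAT statement (see nft(8), "NAT
# statements"): destination rewrites must happen before routing (prerouting)
# or on locally generated traffic (output); source rewrites happen after
# routing (postrouting) or on local delivery (input).
ALLOWED_HOOKS = {
    "dnat": {"prerouting", "output"},
    "redirect": {"prerouting", "output"},
    "snat": {"postrouting", "input"},
    "masquerade": {"postrouting"},
}

def lint_nat_hooks(ruleset):
    """Return (table, chain, statement, hook, allowed_hooks) for each NAT
    statement placed in a base chain whose hook cannot perform it."""
    objs = ruleset["nftables"]
    # Base chains carry a "hook" key; regular chains do not and are skipped.
    hooks = {(c["family"], c["table"], c["name"]): c["hook"]
             for c in (o.get("chain") for o in objs) if c and "hook" in c}
    findings = []
    for rule in (o.get("rule") for o in objs):
        if not rule:
            continue
        hook = hooks.get((rule["family"], rule["table"], rule["chain"]))
        if hook is None:
            continue  # rule lives in a regular chain; hook not known here
        for expr in rule.get("expr", []):
            for stmt, allowed in ALLOWED_HOOKS.items():
                if stmt in expr and hook not in allowed:
                    findings.append((rule["table"], rule["chain"], stmt,
                                     hook, sorted(allowed)))
    return findings

# Constructed sample in the shape of `nft -j list ruleset`: the question's
# postrouting chain with its dnat rule, plus a snat rule that is valid there.
SAMPLE_RULESET = json.loads("""
{"nftables": [
 {"table": {"family": "ip", "name": "nat", "handle": 1}},
 {"chain": {"family": "ip", "table": "nat", "name": "postrouting", "handle": 2,
            "type": "nat", "hook": "postrouting", "prio": -100, "policy": "accept"}},
 {"rule": {"family": "ip", "table": "nat", "chain": "postrouting", "handle": 3,
           "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oif"}},
                               "right": "wg-1to2"}},
                    {"dnat": {"addr": "40.0.0.1"}}]}},
 {"rule": {"family": "ip", "table": "nat", "chain": "postrouting", "handle": 4,
           "expr": [{"snat": {"addr": "10.0.0.1"}}]}}
]}""")
```

On a live host, pass `json.load` of `nft -j list ruleset` output to `lint_nat_hooks` instead of the sample; each finding names the hooks the statement would have to move to (for the question's rule, prerouting or output).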